| Author |
http-method not specified
|
Kejal Shah
Ranch Hand
Joined: Jun 27, 2003
Posts: 87
|
|
Hi ranchers,

If you combine the errata of HFSJ book and the pages 634, 635, you'll end up confused. Specific question is:

What would happen if <http-method> element is not specified for a <url-pattern> in <web-resource-collection> of <security-constraint>?

A. ALL http-methods are ALLOWED
B. ALL http-methods are CONSTRAINED

I think the answer should be A. Please pour in your views.
|
Kejal
SaneDevil@gmail.com
|
 |
Kejal Shah
Ranch Hand
Joined: Jun 27, 2003
Posts: 87
|
|
|
Guys, any views on this one?
|
 |
John Mallavalli
Ranch Hand
Joined: Apr 24, 2002
Posts: 46
|
|
Hi Kejal, Even I think the answer should be A. Cheers, John
|
Do not let what you cannot do interfere with what you can do !!

SCJP & SCWCD 1.4
|
 |
shiva viswanathan
Ranch Hand
Joined: Aug 12, 2004
Posts: 152
|
|
|
I think this will also depend on the role names specified under auth-constraint tag
|
 |
Kejal Shah
Ranch Hand
Joined: Jun 27, 2003
Posts: 87
|
|
|
How?
|
 |
shiva viswanathan
Ranch Hand
Joined: Aug 12, 2004
Posts: 152
|
|
If you specify http method as GET and role as Admin in auth constraint, then this means that only Admin can use GET method to access the resource; however, all other methods are unconstrained and can be accessed by all.
|
 |
Kejal Shah
Ranch Hand
Joined: Jun 27, 2003
Posts: 87
|
|
|
What you say is indeed true IF we specify any http-method. WHAT IF we DON'T specify any http-method?
|
 |
Bhumika Thakkar
Ranch Hand
Joined: Apr 18, 2005
Posts: 79
|
|
1) If http-method does not exist, then ALL methods are BLOCKED for ALL USERS
2) If <auth-constraint> does not exist, ALLOW ALL USERS w/o authentication
3) If <auth-constraint> exists but <role-name> does not exist then NO USERS ARE ALLOWED.

Refer pg 636 HFS.
|
SCBCD (Preparing)
SCWCD, 82%
SCJP, 90%
|
 |
Kejal Shah
Ranch Hand
Joined: Jun 27, 2003
Posts: 87
|
|
Yep, that's what my query was. If you mix the errata and page 636, we end up all confused. Here's the errata:

{634} hand written comment at the bottom; "If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role." should be: "If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are allowed."

And here's the link for quick ref: http://www.oreilly.com/catalog/headservletsjsp/errata/headservletsjsp.confirmed

I think: if NO http-method specified -> ALL ALLOWED. If we think, this makes sense. The security-constraint element mentions the http-methods to be "constrained". Also, if you mention only GET in http-method, it's constrained, but others, POST, PUT... are allowed. Going by the same logic, NO http-method would mean, ALLOW ALL methods.

I think I'll try and let you guys know.
|
 |
Bhumika Thakkar
Ranch Hand
Joined: Apr 18, 2005
Posts: 79
|
|
"If no <http-method> element is present, then the constraint applies to all of the HTTP methods." - SCWCD, Hanumant Deshmukh.
|
 |
Kejal Shah
Ranch Hand
Joined: Jun 27, 2003
Posts: 87
|
|
Phew! Finally, I managed to try this out on jsp-examples provided with Tomcat5 installation.

http-method   auth-constraint      result
---------------------------------------------------------------------
none          none                 OK. no login asked
none          blank                403 forbidden
none          role-name tomcat     valid login allowed
                                   invalid login not allowed
GET           none                 OK. no login asked
GET           blank                403 forbidden
GET           role-name tomcat     valid login allowed
                                   invalid login not allowed

Verdict: no http-method specified, ALL allowed, and it really depends on the auth-constraint.
|
 |
Leandro Melo
Ranch Hand
Joined: Mar 27, 2004
Posts: 401
|
|
Originally posted by Kejal Shah: Verdict: no http-method specified, ALL allowed, and it really depends on the auth-constraint.
Hi Kejal.

Actually the spec says the opposite (p. 133 of 2.4 servlet spec)!

no http-method specified, ALL CONSTRAINED

Check out this thread (especially the last post).
http://www.coderanch.com/t/170057/java-Web-Component-SCWCD/certification/security-constraint

[ July 28, 2005: Message edited by: Leandro Melo ]
|
Leandro Melo
SCJP 1.4, SCWCD 1.4
http://www.pazbrasil.org/
|
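The rules discussed in this thread (a `<security-constraint>` with no `<http-method>` covers every method, a listed method leaves the others uncovered, and the outcome then depends on `<auth-constraint>`), as an added example that is not part of any post. The descriptors, the role `tomcat` on `/admin/*` and the helper names `decide` and `audit` are constructed for illustration; URL-pattern matching and the combination of several constraints are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors (not from the thread): the same protected URL,
# with no <http-method>, with only GET listed, and with other auth settings.
NO_METHOD = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>tomcat</role-name></auth-constraint>
</security-constraint>"""
AUTH = "<auth-constraint><role-name>tomcat</role-name></auth-constraint>"
GET_ONLY = NO_METHOD.replace(
    "</url-pattern>", "</url-pattern><http-method>GET</http-method>")
EMPTY_AUTH = NO_METHOD.replace(AUTH, "<auth-constraint/>")
NO_AUTH = NO_METHOD.replace(AUTH, "")


def decide(constraint_xml, method, user_roles=None):
    """Outcome of one request against one <security-constraint>.

    user_roles is None for an unauthenticated caller, else a set of roles.
    """
    sc = ET.fromstring(constraint_xml)
    listed = {m.text.strip().upper() for m in sc.iter("http-method")}
    # No <http-method> at all: the constraint covers every method.
    # Some listed: only those are covered, the rest are left unprotected.
    if listed and method.upper() not in listed:
        return "unconstrained"
    auth = sc.find("auth-constraint")
    if auth is None:                      # covered, but no authorization rule
        return "allowed without login"
    roles = {r.text.strip() for r in auth.iter("role-name")}
    if not roles:                         # <auth-constraint/> names no role
        return "403 forbidden"
    if user_roles is None:
        return "login required"
    return "allowed" if roles & set(user_roles) else "403 forbidden"


def audit(constraint_xml, methods=("GET", "POST", "PUT", "DELETE")):
    """Methods from `methods` that this constraint leaves uncovered."""
    return [m for m in methods if decide(constraint_xml, m) == "unconstrained"]
```

`audit(GET_ONLY)` reports POST, PUT and DELETE as uncovered, which is the gap to look for when reviewing a descriptor that names methods explicitly.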
 |
 |